EdgeRouter - Site-to-Site IPsec VPN to Juniper SRX

April 13, 2018 19:42

Overview

Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Juniper SRX.

A Policy-Based VPN is characterized by the definition of local and remote subnets (proxy IDs). This type of VPN differs from a Route-Based VPN which is characterized by the usage of Virtual Tunnel Interfaces (VTIs) and routing entries.

NOTES & REQUIREMENTS:

Applicable to EdgeOS 1.9.7 and later firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI), Junos and advanced networking is required. Please see the Related Articles below for more information and see the attachments for the configurations used in this article.

For the purpose of this article it is assumed that the routing and interface configuration is already in place and that reachability has been tested.

The ports and protocols relevant to IPsec are:

UDP 500 (IKE)

ESP (IP protocol 50)

UDP 4500 (NAT-T)

Both peers must permit this traffic inbound on their WAN interfaces. When either peer sits behind NAT, the ESP payload is encapsulated in UDP 4500 (NAT-T) instead of being sent as protocol 50.

The type of VPN that will be created is called a Policy-Based VPN, which uses local and remote subnets, otherwise known as proxy IDs. These values need to match exactly between the two peers and need to be mirror images of each other (the local prefix on one side is the remote prefix on the other). Only traffic between the prefixes defined in the proxy IDs will be carried over the tunnel. In this example the ER has 192.168.1.0/24 on its LAN side, whereas the SRX side uses 172.16.1.0/24.

The first part of the configuration focuses on the ER, afterwards the VPN will be set up on the SRX.

CLI STEPS: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using an SSH client such as PuTTY.

1. Enter configuration mode.

configure

2. Exclude IPsec traffic from NAT and allow the automatic creation of the firewall rules.

Note: The choices for SAs in this example are based on optimizing the VPN for performance, stability and security. The IKE proposal focuses on security (AES256 + SHA256), whereas the ESP proposal focuses on performance (AES128 + MD5). HMAC-MD5 is a deprecated integrity algorithm; where both peers support it, SHA256 is the better choice for the ESP proposal as well. Whichever set of SAs is chosen, make sure that the settings for Phase 1 (P1) and Phase 2 (P2) match on both sides of the connection, otherwise the proposals will be rejected during negotiation.

6. Define the local source address (public IP) of the Site-to-Site VPN connection.

set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

Note: It is also possible to use a non-static IP address for the WAN connection. In the case of DHCP, use set ... peer 192.0.2.1 dhcp-interface eth0 instead of local-address. For PPPoE interfaces or load-balancing scenarios it is currently recommended to use set ... peer 192.0.2.1 local-address 0.0.0.0 rather than local-address any.

7. Link the IKE proposal to the Site-to-Site connection.

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0

8. Create a tunnel that defines the remote and local subnets (proxy IDs) and link the ESP proposal.
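The complete EdgeRouter side of the procedure above, collected into one configuration session. This is an added example, not the configuration attached to the original article. It assumes the addresses used throughout this article (ER WAN 203.0.113.1, SRX WAN 192.0.2.1, ER LAN 192.168.1.0/24, SRX LAN 172.16.1.0/24), the group name FOO0, IKEv1 main mode with DH group 14 and a placeholder pre-shared key; lines beginning with # are annotations and are not CLI input.

```text
configure

# Step 2: exclude tunnelled traffic from NAT and auto-create the IKE/ESP/NAT-T firewall rules
set vpn ipsec auto-firewall-nat-exclude enable

# Phase 1 (IKE) proposal: AES-256 + SHA-256, DH group 14 (assumed), 8 h lifetime (assumed)
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256

# Phase 2 (ESP) proposal: AES-128 + MD5 as chosen in the article, PFS with group 14, 1 h lifetime (assumed)
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs dh-group14
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
# Preferred alternative when the SRX side is configured with hmac-sha-256-128:
# set vpn ipsec esp-group FOO0 proposal 1 hash sha256

# Peer definition: PSK authentication, local WAN address (step 6) and IKE group (step 7)
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <long-random-secret>
set vpn ipsec site-to-site peer 192.0.2.1 description SRX
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0

# Step 8: proxy IDs, the mirror image of what the SRX will carry
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24

commit ; save
```

Replace <long-random-secret> with a randomly generated secret of at least 32 characters; the same value must be entered on the SRX. The DH group, lifetimes and PFS group are not stated in the article and are chosen here so that they can be matched one-to-one on the Juniper side.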

Please make sure that the latest stable version of Junos is being used and that the device is capable of reaching the internet. The Juniper side of the Site-to-Site VPN connection is based on the following IPsec article: Configuring a Policy-Based VPN

CLI STEPS: Access the Junos command line interface (CLI).

1. Enter configuration mode.

configure

2. Link the interfaces to the relevant zones and allow IKE (UDP 500) as a host-inbound service on the WAN interface.

Note: The tunnel pair-policy statement links the 'untrust to-zone trust' policy to the 'trust to-zone untrust' policy and vice versa. These two policies link the address-book entries to the IPsec tunnel and thereby define the local and remote subnets (proxy IDs).

5. Make sure that the IPsec traffic policies are matched before the existing policy rules.

Note: This article assumes that source NAT has not already been configured on the device. If a source NAT rule already exists, make sure that the new IPsec (no-NAT) rule is placed in front of the existing NAT rule using the insert statement, otherwise tunnelled traffic will be translated and will not match the proxy IDs.

8. Create the IKE proposal (IKEProposal) matching the defined SAs on the EdgeRouter.
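The SRX side of the procedure above as one configuration session, mirroring the EdgeRouter settings of this article. This is an added example, not the configuration attached to the original article or Juniper's own example. Assumptions: ge-0/0/0.0 is the untrust (WAN, 192.0.2.1) interface and ge-0/0/1.0 the trust (LAN, 172.16.1.0/24) interface, the object names (IKEProposal, IKEPolicy, IKEGateway, IPsecProposal, IPsecPolicy, IPsecVPN, VPN-OUT, VPN-IN, NO-NAT-VPN, LocalLAN, RemoteLAN) are illustrative, the existing policy and NAT rule names in the insert statements are placeholders, and DH group 14, PFS group 14 and the lifetimes must equal whatever was configured on the ER; lines beginning with # are annotations, not CLI input.

```text
configure

# Step 2: zones and host-inbound IKE on the WAN interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/1.0

# Address-book entries used by the tunnel policies (these become the proxy IDs)
set security address-book global address LocalLAN 172.16.1.0/24
set security address-book global address RemoteLAN 192.168.1.0/24

# Tunnel policies in both directions, linked with pair-policy
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address LocalLAN
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address RemoteLAN
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn IPsecVPN pair-policy VPN-IN
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address RemoteLAN
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address LocalLAN
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn IPsecVPN pair-policy VPN-OUT
# Step 5: only needed when policies already exist in these zone pairs (placeholder names)
# insert security policies from-zone trust to-zone untrust policy VPN-OUT before policy <existing-policy>
# insert security policies from-zone untrust to-zone trust policy VPN-IN before policy <existing-policy>

# Exempt tunnelled traffic from source NAT; must be evaluated before any interface NAT rule
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule NO-NAT-VPN match source-address 172.16.1.0/24
set security nat source rule-set trust-to-untrust rule NO-NAT-VPN match destination-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule NO-NAT-VPN then source-nat off
# insert security nat source rule-set trust-to-untrust rule NO-NAT-VPN before rule <existing-nat-rule>

# Step 8: Phase 1 matching the ER ike-group FOO0 (AES-256, SHA-256, group 14, 28800 s)
set security ike proposal IKEProposal authentication-method pre-shared-keys
set security ike proposal IKEProposal dh-group group14
set security ike proposal IKEProposal authentication-algorithm sha-256
set security ike proposal IKEProposal encryption-algorithm aes-256-cbc
set security ike proposal IKEProposal lifetime-seconds 28800
set security ike policy IKEPolicy mode main
set security ike policy IKEPolicy proposals IKEProposal
set security ike policy IKEPolicy pre-shared-key ascii-text "<long-random-secret>"
set security ike gateway IKEGateway ike-policy IKEPolicy
set security ike gateway IKEGateway address 203.0.113.1
set security ike gateway IKEGateway external-interface ge-0/0/0.0

# Phase 2 matching the ER esp-group FOO0 (AES-128, MD5, PFS group 14, 3600 s)
set security ipsec proposal IPsecProposal protocol esp
set security ipsec proposal IPsecProposal authentication-algorithm hmac-md5-96
set security ipsec proposal IPsecProposal encryption-algorithm aes-128-cbc
set security ipsec proposal IPsecProposal lifetime-seconds 3600
# Preferred alternative if the ER esp-group uses hash sha256:
# set security ipsec proposal IPsecProposal authentication-algorithm hmac-sha-256-128
set security ipsec policy IPsecPolicy perfect-forward-secrecy keys group14
set security ipsec policy IPsecPolicy proposals IPsecProposal
set security ipsec vpn IPsecVPN ike gateway IKEGateway
set security ipsec vpn IPsecVPN ike ipsec-policy IPsecPolicy
# Explicit proxy IDs: the mirror image of the ER tunnel 1 local/remote prefixes
set security ipsec vpn IPsecVPN ike proxy-identity local 172.16.1.0/24
set security ipsec vpn IPsecVPN ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn IPsecVPN ike proxy-identity service any

commit
```

The explicit proxy-identity statements are not strictly required for a policy-based VPN (the SRX derives them from the policy addresses), but setting them makes the mismatch with the EdgeRouter prefixes visible in the configuration rather than only in the negotiation logs.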

Note: This is a live capture. If there is no output, the IKE traffic is most likely not being allowed through the firewall before it reaches the router. Alternatively you can use the show vpn log | no-more command to view the entire IPsec log history.

5. Verify the IPsec Security Associations (SAs) and statistics on the SRX:
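The operational-mode commands used to verify the tunnel on both peers, as an added example that is not part of the original article. The EdgeRouter interface name eth0 is assumed to be the WAN interface; lines beginning with # are annotations, not CLI input.

```text
# EdgeRouter (operational mode, not configure mode)
show vpn ike sa
show vpn ipsec sa
show vpn ipsec status
# Live capture of IKE, NAT-T and ESP on the WAN interface
sudo tcpdump -ni eth0 'udp port 500 or udp port 4500 or proto 50'
# Full IPsec log history without paging
show vpn log | no-more

# SRX (operational mode)
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
# Recent IKE daemon messages, useful when the SA is DOWN
show log messages | match kmd | last 50
```

On the SRX the IKE SA should show State UP and the IPsec SA should list both an inbound and an outbound SPI; on the EdgeRouter show vpn ipsec sa should report the tunnel as up with the negotiated proposal. If Phase 1 establishes but Phase 2 does not, compare the proxy IDs and the ESP proposal on both sides first, as these are the most common mismatches in a policy-based setup.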